In this series so far, we’ve seen that email authentication is great at stopping phishing under some circumstances and isn’t that useful under others. One circumstance where it isn’t that useful is a variant of Business Email Compromise (BEC) that we call an Impersonation Attack. An Impersonation Attack is when…

So, in the past couple of posts, I’ve talked about how email authentication is not that great against phishing attacks that use random parameters in the sender, but is well-designed to work against springboard spear-phishing attacks. There’s another scenario where it is simultaneously well-positioned to protect against spear-phishing, yet not in a good position to…

I’ve got a story for you. As a security person, it’s a little disturbing. I was driving in the car with my wife yesterday who works in the health care industry (she’s not a doctor). She was telling me that earlier that day, she was trying to email a file to some other organization and…

As I was saying in my other blog post about email authentication, and how it struggles to stop random IT phishing attacks, there is a type of attack that it is great at stopping – springboard attacks. What do I mean by a springboard attack? I use the term in the context of “Business Email Compromise”…

On this blog, I’ve written a lot about email authentication and preached its virtues. If you are a domain owner, you should definitely set up SPF, DKIM, and DMARC records, both so that emails to you can be identified as authentic or not, and so that other email receivers (e.g., Gmail, Hotmail/Outlook.com, Comcast, etc.) can…

Introduction

It has now been about 8 months since we released our antispoofing protection in Office 365, a feature that defends against Business Email Compromise, where the From and To domains are the same. You can read more about that feature at http://aka.ms/AntispoofingInOffice365. To summarize, it defends against others spoofing your domain in the From:…

If you’re a user in Hotmail, Outlook.com, or any other of Microsoft’s consumer email services, you may notice that it evaluates DKIM a little differently than you might expect (you would only notice this mostly as someone who is trying to troubleshoot delivery, as an average user you probably wouldn’t notice it at all unless…

Recently, I’ve been seeing a spike in customer escalations saying that messages that aren’t marked as spam are nevertheless getting sent to the Junk Mail folder. This is despite the message headers indicating that the message is non-spam, that is, the X-Forefront-Antispam-Report header says “SFV:NSPM” (Spam Filter Verdict: Non-spam) and “SCL:1”. The most common reason…

In case you hadn’t noticed, Microsoft recently published a DMARC record that says p=quarantine:

_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1"

This means that any sender transmitting email either into Microsoft’s corp mail servers or to any other domain that receives email, and the message is spoofed (it doesn’t pass SPF or…

One of the changes to go into Office 365 in the past year is an antispam rule that rejects messages with an invalid From: address. When this occurs, the message is rejected with:

550 5.7.512 Access denied, message must be RFC 5322 section 3.6.2 compliant and include a valid From address

If you look…

Regularly, Office 365 is asked by other email receivers about the way our mail servers and IP addresses are set up, and the need to conform to a particular standard. That standard (which is more of a convention implemented by some receivers, not all of them) is that the IPs have Forward-Confirmed Reverse DNS, and these also…

One of the ways in which Exchange Online detects spam, malware, and phishing is through URL filtering. We use a variety of sources; you can find them here: https://technet.microsoft.com/en-us/library/dn458545(v=exchg.150).aspx

We use URL reputation lists in the following way (including but not limited to):

At time-of-scan, if a message contains a URL that is on one of…

Part 1 – There’s more to me than just fighting spam

If all you know of me is through this blog, then you’ll know I’ve been involved in the fight against spam, malware, and phishing for over a decade. On the other hand, those of you who know me in person or have checked out…

This post doesn’t have anything to do with cyber security. It’s one of those “It’s my blog and I can write what interests me” posts. A couple of years ago I read Robert Cialdini’s book Influence: The psychology of persuasion. It’s considered one of the classics on how to persuade other people to your point of…